New project tackles security advisories in the PHP world

The PHP Security Advisories Database is also at the heart of the Roave Security Advisories, a Composer-ready PHP library that can be embedded within any PHP project.

"Roave/SecurityAdvisories uses FriendsOfPHP as its data source to build a conflicting set of require statements to prevent insecure dependencies from being installed," Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise, told Bleeping Computer.

This means that any PHP developer can embed this library in their PHP project and prevent the accidental deployment of vulnerable code.

Better protection against unpatched flaws, zero-days

But recently the FriendsOfPHP database got a boost. Following a series of discussions and modifications to the code, the database can now reliably embed information on projects that contain unfixed vulnerabilities [1, 2, 3].

This update means an extra layer of protection against abandoned libraries and the ones affected by zero-days.

Since the updates were made in the FriendsOfPHP database, they also trickled down to the Roave/SecurityAdvisories library.

This means that the next time PHP developers attempt to build their project, they'll get a Composer error if one of the project's libraries is vulnerable to a yet-to-be-patched flaw.

"More generally, the 'how to handle advisories for projects that haven't fixed them yet?' question has been answered, so this should become a reliable way to stop people from running vulnerable code," Arciszewski says.
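To make the mechanism concrete, here is an added illustration (not code from Roave/SecurityAdvisories or FriendsOfPHP) of the idea behind it: advisory version ranges are turned into Composer-style `conflict` constraints, and a lock file's installed versions are checked against them. The package names, the advisory entries and the lock file contents are constructed; the `branches`/`versions` layout mirrors the FriendsOfPHP YAML shape as an assumption, and an open-ended range (no upper bound) stands in for a flaw that has no fix yet.

```python
"""Added illustration of the Roave/SecurityAdvisories idea: advisory version
ranges become Composer-style conflict constraints, then installed versions are
checked against them. Not project code; all data below is constructed."""
import operator
import re
from typing import Dict, List

# Constructed advisories in the shape of FriendsOfPHP entries (hypothetical packages).
ADVISORIES = [
    {"package": "acme/mailer", "branches": {"1.x": [">=1.0.0", "<1.2.3"]}},
    # Unfixed flaw: open-ended range, so every version from 2.0.0 on conflicts
    # until a fixed release exists and the advisory gains an upper bound.
    {"package": "acme/markdown", "branches": {"2.x": [">=2.0.0"]}},
]

OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le,
       "<": operator.lt, "==": operator.eq}


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' or 'v1.2' into a comparable tuple (missing parts are 0)."""
    parts = [int(p) for p in v.lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def build_conflicts(advisories) -> Dict[str, str]:
    """Build a composer.json-style 'conflict' map: clauses of one branch are
    ANDed with ',' and separate branches are ORed with '|' (Composer syntax)."""
    ranges: Dict[str, List[str]] = {}
    for adv in advisories:
        for versions in adv["branches"].values():
            ranges.setdefault(adv["package"], []).append(",".join(versions))
    return {pkg: "|".join(alts) for pkg, alts in ranges.items()}


def matches(constraint: str, version: str) -> bool:
    """True if version falls inside a constraint like '>=1.0.0,<1.2.3|>=2.0.0'."""
    ver = parse_version(version)
    for alternative in constraint.split("|"):
        clauses = [re.fullmatch(r"(>=|<=|>|<|==)\s*(\S+)", c.strip())
                   for c in alternative.split(",")]
        if all(m and OPS[m.group(1)](ver, parse_version(m.group(2))) for m in clauses):
            return True
    return False


def vulnerable_packages(lock_packages: Dict[str, str], conflicts: Dict[str, str]) -> List[str]:
    """Installed packages (name -> version, as read from composer.lock) that
    would make Composer refuse the install because they hit a conflict range."""
    return sorted(p for p, v in lock_packages.items()
                  if p in conflicts and matches(conflicts[p], v))
```

Composer itself evaluates the `conflict` map during `composer install`/`update`, so a project that requires the advisories package gets the refusal before any vulnerable code lands on disk.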

PHP is getting safer, one small step at a time

While PHP has been the butt of all programming jokes in the past decade for various reasons, there have been strong efforts to improve the language's performance [1, 2, 3, 4] and security [1, 2].

With the recent work on the FriendsOfPHP database and Roave/SecurityAdvisories projects, it is pleasant to see that PHP developers have slowly started to understand that web applications should also be secure from hackers, and not just a collection of speed optimizations and shiny user interfaces.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.